Anatomy of a hack

In the last 48 hours the Loudmouthman.com WordPress site was compromised. One of the side effects of this infection was that Live Writer stopped publishing to my blog and returned ‘blogger.getByUsers’ authentication and validation errors.

I have yet to work out what vector was used to add the additional code to my site, but it appears that the automated tools which injected the code are still running despite the payload no longer being available (though that will change as the code evolves). The additional code was injected at the top of every .php file in the root of my WordPress installation, and it came to light when my own scripts emailed me to say that the files contained some of the key phrases I was looking for.

Before I discuss my method of scanning and maintenance, let's have a look at the core infection. Warning: this code is not defanged, and if you try it out then please realise I do not accept responsibility for you pulling the trigger.

The Infection:

FOR TESTING PURPOSES I RAN THIS SCRIPT IN THE CONSOLE OF A STAND ALONE VIRTUAL MACHINE WITH NO INTERNET ACCESS.

If I had been an Internet Explorer user, then pages served from http://loudmouthman.com would have been making a call to GlobalPowerGathering to return a script.

I can't find the contents of the script because the site in question will not return a response. Further, if you are surfing with Comodo, Google DNS or Chrome you are warned about visiting that site since it may contain malware.

Doing some research on Google, I believe that had the script worked it would have attempted to launch a malware page which would have created a fake antivirus page; examples of these can be seen if you search Google for “fake antivirus popup”. The script targeted Windows IE users, which meant the script was not being called if you visited from any other browser.

Having defanged my own WordPress files and reset the security flag on my site, I checked with Google to see if they felt I was a problem website. Visiting the Google Safe Browsing page will let you know if your site has been reported as a problem in the last 90 days.

With my site cleaned up, I went ahead and checked my friends' and clients' websites to check that they too were not infected or reported on Google. Thankfully we came up clean.

Prevention

Outside of ensuring that I keep WordPress as up to date as is safe, and using lockdown and admin login tools to monitor access to the websites, I have a script which runs every hour and scans for key phrases or words inside the files on my sites. If the magic pattern makes a match then I get an email and can log in via the shell and begin to repair the damage (usually by replacing the files with a clean copy of WordPress). You can automate a lot of this process, but nothing beats the intervention of a human for double checking against a false positive.
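An added example of such an hourly scanner, not the author's own script: a POSIX shell script that greps every .php file under a WordPress root for a constructed list of injection signatures (the GlobalPowerGathering domain named in this post plus common PHP obfuscation idioms) and mails any hits. The install path, alert address, cron line and signature list are assumptions to be tuned for your own site.

```shell
#!/bin/sh
# Hourly signature scan for a WordPress install (example code, not the post's own).
# Assumed cron line:  0 * * * * /usr/local/bin/wp-scan.sh run

WP_ROOT="${WP_ROOT:-/var/www/loudmouthman.com}"   # assumed install path
ALERT_MAIL="${ALERT_MAIL:-admin@example.com}"      # placeholder address

# One extended regex per line. The domain is the one named in the post; the
# rest are constructed examples of obfuscation idioms seen in injected PHP.
SIGNATURES='GlobalPowerGathering
eval *\( *(base64_decode|gzinflate|str_rot13) *\(
preg_replace *\(.*/e
(\\x[0-9a-fA-F]{2}){4,}'

# scan_wp_root DIR
# Greps every *.php below DIR against SIGNATURES and prints "file:line:text"
# for each hit. Returns 0 when clean, 1 when anything matched, so callers
# (cron, mail logic, a test) can branch on the exit status.
scan_wp_root() {
    sigfile=$(mktemp) || return 2
    printf '%s\n' "$SIGNATURES" > "$sigfile"
    # /dev/null is passed alongside each batch so grep always prefixes the
    # file name, even when find hands it a single file.
    hits=$(find "$1" -type f -name '*.php' \
        -exec grep -En -f "$sigfile" /dev/null {} + 2>/dev/null) || true
    rm -f "$sigfile"
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# run_check: cron entry point. Mails the hit list when a mail tool exists,
# otherwise prints it; a human still decides whether it is a false positive.
run_check() {
    report=$(scan_wp_root "$WP_ROOT") && return 0
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$report" | mail -s "[wp-scan] suspicious PHP in $WP_ROOT" "$ALERT_MAIL"
    else
        printf '%s\n' "$report"
    fi
    return 1
}

case "${1:-}" in run) run_check ;; esac
```

Replace the flagged files from a clean WordPress copy only after reading each hit; a legitimate plugin can trip a loose pattern.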

I might have chosen not to admit that I was infected, as I run a business that helps reduce this from happening and it could be perceived as a failure on my part. I feel that honesty and information are a more valuable currency, and hopefully the above will help others in diagnosing their problems.

Would you kindly provide a sample of your script that you use to monitor your site(s) even if only by e-mail? I’d love to be able to do this with several that I administer including library and critical incident stress management team Web sites.